On Mon, 05 Nov 2007 10:22:15 -0500, Thomas Roessler <[EMAIL PROTECTED]> wrote:
There are two points here:
1. There is a design decision at least in Xforms to enable
cross-site POST with XML content.
2. You are "vulnerable" to a cross-site POST if your *user* has
xforms support active. If you deploy a web application (or Web
Service) that is vulnerable to cross-site POST with an XML content
type, you probably have a problem.
Together, these suggest to me that trying to avoid specifically XML
content in unattended cross-site POST requests (if they are caused
by XHR) is an exercise that's not worth the effort.
Given that XForms isn't widely deployed at all I'm not sure we should
simply declare cross-site POST with more capabilities than <form> POST
safe. Also, we're trying to address more than POST and GET.
<form> POST is not relevant to the discussion at hand.
XMLHttpRequest POST follows the model with Method-Check, etc.
You're not answering my question.
I don't understand it then, I suppose.
Key words: "from the perspective of the site that needs to handle
these requests"
You already said that. I'm not sure how you think that helps.
There is a difference between deploying a web application and
deploying a different HTTP stack.
Well yes, some changes have to be made in order to support this.
This is not that complicated though with typical server-side
languages.
We seemed to have a goal to do it all without server changes at some
point. Seems that has been lost.
At some point this draft only addressed the GET case. We then merged the
XMLHttpRequest Level 2 proposal for non-GET cases into this draft.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
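One way a site could make the server-side changes the thread mentions, as an added example that is neither the thread's nor the draft's own code: a minimal request gate that answers the preflight for a cross-site XML POST, re-checks Origin on the real request, and still demands an anti-CSRF token for the form-encoded POSTs that a plain `<form>` can send without any XHR at all. It assumes modern CORS header names rather than the draft's Method-Check headers (an assumption about how the model maps onto current browsers); the allow-listed origin and the token are constructed.

```python
# Added example (not the thread's or the draft's code): server-side gate for
# the cross-site POST cases argued about above. Header names are modern CORS
# (assumed mapping of the draft's Method-Check preflight); values are constructed.

ALLOWED_ORIGINS = {"https://app.example"}       # constructed allow-list
VALID_CSRF_TOKENS = {"tok-123"}                  # constructed; real apps bind these to a session
# Types a plain <form> can already send cross-site without any XHR or preflight.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type(headers):
    """Strip parameters such as charset from the Content-Type header."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def handle(method, headers, form=None):
    """Return (status, response_headers) for one request.
    headers: lower-cased request header names -> values; form: parsed form fields."""
    origin = headers.get("origin")

    # Preflight: the browser asks before sending a non-simple cross-site POST
    # (e.g. Content-Type: application/xml). Only allow-listed origins get a yes.
    if method == "OPTIONS" and "access-control-request-method" in headers:
        if origin in ALLOWED_ORIGINS and headers["access-control-request-method"] == "POST":
            return 200, {"Access-Control-Allow-Origin": origin,
                         "Access-Control-Allow-Methods": "POST",
                         "Access-Control-Allow-Headers": "Content-Type",
                         "Access-Control-Max-Age": "600"}
        return 403, {}

    if method != "POST":
        return 405, {}

    if media_type(headers) in FORM_TYPES:
        # Reachable from any site via <form>, with or without an Origin header:
        # the classic CSRF case, which the access-control model does not cover,
        # so it needs its own defence (here a per-session token).
        ok = (form or {}).get("csrf_token") in VALID_CSRF_TOKENS
        return (200, {}) if ok else (403, {})

    # Non-form body (XML, JSON): a browser only sends this cross-site after a
    # successful preflight, but re-check Origin on the real request anyway,
    # since nothing stops a non-browser client from skipping the preflight.
    if origin is None:
        return 200, {}                # same-site request: behaviour unchanged
    if origin in ALLOWED_ORIGINS:
        return 200, {"Access-Control-Allow-Origin": origin}
    return 403, {}
```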